Enhancements for Authentication Using Smart Cards on Windows Endpoints

Where Can I Use This?	What Do I Need?
GlobalProtect Subscription License	GlobalProtect app version 6.3.0 or later GlobalProtect app running on Windows endpoints

If you have configured Connect Before Logon- On-demand mode for the GlobalProtect app with smart card authentication as the authentication method, the app now provides the flexibility to the end users to authenticate to the app either using smart card or using their username/password. With this feature enabled, the GlobalProtect app displays two authentication profiles for the enduser in the Portals drop-down on the app homepage; a profile with <smartcard> and another profile with <no smartcard>. From the two available options, the end users can choose their preferred authentication profile. The profile with <smartcard> option allows the end user to authenticate to the app using the smart card authentication method whereas the profile with <no smartcard> option allows them to authenticate to the app using their username and password.

For example, if end users forget to bring their smart card to work, they can choose the authentication profile with <no smartcard> from the Portals drop-down and can use their username and password to authenticate to the app. If smart card is available, they can use the profile with <smartcard> and authenticate using smart card authentication.

This feature will work only when ActivClient software is installed on the device, if you have configured Connect Before Logon method for the GlobalProtect app.

If Always-On connect method is configured for the GlobalProtect app and authentication profile keys are predeployed, the default profile option <smartcard> will be selected. The end user has the option to disconnect the app and change the profile option if required.

If On-Demand connect method is configured for the GlobalProtect app and authentication profile keys are predeployed, the end user can choose either <smartcard> or <no smartcard> option from the app user interface (Portals drop-down).

If you have configured Connect Before Logon- On-demand mode for the GlobalProtect app with smart card authentication as the authentication method, the app now displays the authentication profile options with or without the PIV smart card.

For the GlobalProtect app to display the authentication profile options with or without the PIV smart card, you must:

1. Ensure that Connect Before Logon (CBL) is configured with On-demand mode for the GlobalProtect app.
2. Select the Allow Authentication with User Credentials OR Client Certificate option while configuring the GlobalProtect gateway and portal. This option defines whether users can authenticate to the portal or gateway using credentials and/or client certificates.
3. In the Windows Registry, define the predeployment settings for the app to display the authentication profile options with <smartcard> and <no smartcard>.

   1. Launch the Command Prompt and enter regedit to open the Windows Registry.
   2. In the Windows Registry, go to: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\.
   3. Click Edit and then select NewString Value.
   4. When prompted, specify the Name of the new registry value as PIV-profile.
   5. Right-click the new registry value and Modify it.
   6. Set the Value Data to yes
   7. Click OK.

   To predeploy the setting from Windows Installer (Msiexec) use the following syntax:

   msiexec.exe / globalprotect64.msi /i PIVPROFILE=yes

   Customize the Windows Registry Keys for Profile Options

   Starting with GlobalProtect version 6.3.1, you can predeploy the customized registry key values for the profile options; <PIV> and <NO PIV>.

   • The <PIVString> key is available in the Windows Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings
   • The <NoPIVString> key is available in the Windows Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings